This is taken from the Cisco web page regarding the command established:
established
Permit return connections on ports other than those used for the originating connection based on an established connection.
[no] established <est_protocol> <dport> [sport] [permitto <protocol> <port>[-<port>]] [permitfrom <protocol> <port>[-<port>]]
clear established
show established
Syntax Description
dest_port
Specifies the destination port to use for the established connection lookup. This is the originating traffic's destination port and may be specified as 0 if the protocol does not specify which destination port(s) will be used. Use wildcard ports (0) only when necessary.
permitfrom
Used to specify the return traffic's protocol and from which source port(s) the traffic will be permitted.
permitto
Used to specify the return traffic's protocol and to which destination port(s) the traffic will be permitted.
src_port
Specifies the source port to use for the established connection lookup. This is the originating traffic's source port and may be specified as 0 if the protocol does not specify which source port(s) will be used. Use wildcard ports (0) only when necessary.
Command Modes
Configuration mode.
Usage Guidelines
The established command allows outbound connections return access through the PIX Firewall. This command works with two connections, an original connection outbound from a network protected by the PIX Firewall and a return connection inbound between the same two devices on an external host.
The first protocol, destination port, and optional source port specified are for the initial outbound connection. The permitto and permitfrom options refine the return inbound connection.
--------------------------------------------------------------------------------
Note We recommend that you always specify the established command with the permitto and permitfrom options. Without these options, the use of the established command opens a security hole that can be exploited for attack of your internal systems. See the "Security Problem" section that follows for more information.
--------------------------------------------------------------------------------
The permitto option lets you specify a new protocol or port for the return connection at the PIX Firewall.
The permitfrom option lets you specify a new protocol or port at the remote server.
The no established command disables the established feature.
The clear established command removes all establish command statements from your configuration.
--------------------------------------------------------------------------------
Note For the established command to work properly, the client must listen on the port specified with the permitto option.
--------------------------------------------------------------------------------
You can use the established command with the nat 0 command statement (where there are no global command statements).
--------------------------------------------------------------------------------
Note The established command cannot be used with Port Address Translation (PAT).
--------------------------------------------------------------------------------
The established command works as shown in the following format:
established A B C permitto D E permitfrom D F
This command works as though it were written "If there exists a connection between two hosts using protocol A from src port B destined for port C, permit return connections through the PIX Firewall via protocol D (D can be different from A), if the source port(s) correspond to F and the destination port(s) correspond to E."
For example:
established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059
In this case, if a connection is started by an internal host to an external host using TCP source port 6060 and any destination port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 6059.
For example:
established udp 0 6060 permitto tcp 6061 permitfrom tcp 1024-65535
In this case, if a connection is started by an internal host to an external host using UDP destination port 6060 and any source port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 1024-65535.
Security Problem
The established command has been enhanced to optionally specify the destination port used for connection lookups. Only the source port could be specified previously with the destination port being 0 (a wildcard). This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is not.
The established command can potentially open a large security hole in the PIX Firewall if not used with discretion. Whenever you use this command, if possible, also use the permitto and permitfrom options to indicate ports to which and from which access is permitted. Without these options, external systems to which connections are made could make unrestricted connections to the internal host involved in the connection. The following are examples of potentially serious security violations that could be allowed when using the established command.
For example:
established tcp 0 4000
In this example, if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol:
established tcp 0 0 (Same as previous releases established tcp 0 command.)
Examples
The following example occurs when a local host 10.1.1.1 starts a TCP connection on port 9999 to a foreign host 209.165.201.1. The example allows packets from the foreign host 209.165.201.1 on port 4242 back to local host 10.1.1.1 on port 5454.
established tcp 9999 permitto tcp 5454 permitfrom tcp 4242
The next example allows packets from foreign host 209.165.201.1 on any port back to local host 10.1.1.1 on port 5454:
established tcp 9999 permitto tcp 5454
XDMCP Support
PIX Firewall now provides support for XDMCP (X Display Manager Control Protocol) with assistance from the established command.
XDMCP is on by default, but will not complete the session unless the established command is used.
For example:
established tcp 0 6000 permitto tcp 6000 permitfrom tcp 1024-65535
This enables the internal XDMCP equipped (UNIX or ReflectionX) hosts to access external XDMCP equipped XWindows servers. UDP/177 based XDMCP negotiates a TCP based XWindows session and subsequent TCP back connections will be permitted. Because the source port(s) of the return traffic is unknown, the src_port field should be specified as 0 (wildcard). The destination port, dest_port, will typically be 6000; the well-known XServer port. The dest_port should be 6000 + n; where n represents the local display number. Use the following UNIX command to change this value.
setenv DISPLAY hostname:displaynumber.screennumber
The established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connection is unknown. Only the destination port will be static. The PIX Firewall does XDMCP fixups transparently. No configuration is required, but the established command is necessary to accommodate the TCP session. Be advised that using applications like this through the PIX Firewall may open up security holes. The XWindows system has been exploited in the past and newly introduced exploits are likely to be discovered.
